Security Bugs--

Bugs happen. We know this to be as true as other fundamental laws of physics so long as we have humans writing code to bring new features and improvements to Chromium. We also know some of these bugs will have security consequences, so we do a number of things to prevent, identify, and fix Chromium security bugs.

Security fuzzing

We've build fuzzing infrastructure that automatically and continuously security "fuzz" test Chrome to find new bugs and help engineers patch and test fixes. ClusterFuzz, as the system is affectionately named, consists of 12000+ cores and fuzzes hundreds of millions of test cases each day to produce de-duplicated security bugs with small reproducible test cases. Since it was built (in 2009), ClusterFuzz has helped us find and fix roughly two thousand security bugs in Chromium and other third party software.

Vulnerability Response and Remediation

The security sheriff is a rotating role that handles all incoming and open security bugs. to all reported security bugs. We are committed to releasing a fix for any critical security vulnerabilities in under 60 days.

Rewarding Vulnerability Research

We try to reward awesome security research from external folks in a few ways:

Pwnium is a contest we run semi-regularly for proof-of-concept Chrome exploits. Our motivation is simple: we have a big learning opportunity when we receive full end-to-end exploits. Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing. This enables us to better protect our users.